<html>
    
    <head>
        <!-- dominatrixss -->
        <script src="csp.js">
            
        </script>
        <style>
            div#main {
                margin-left:100px;
                margin-top:100px;
            }
        </style>
    </head>
    
    <body>
        <!-- Turn on CSP -->
        <script>
            dominatrixss.addWhitelistTag("a");
            dominatrixss.addWhitelistTag("div");
            dominatrixss.addWhitelistHandler("onclick");
            dominatrixss.addWhitelistHandler("onload");
            dominatrixss.run();
        </script>
        <!-- legit scripts -->
        <script>
            console.log("Inline test passed.");

            function onclick1() {
                document.getElementById("onload").innerHTML = "2. Inline event test <span style='color:#0f0;'>passed</span>";
            }

            function dynamic1() {
                var div = document.getElementById("main");
                var stag = document.createElement("script");
                stag.setAttribute("src", "test.js");
                document.body.appendChild(stag);
            }

            function dynamic2() {
                var script = document.createElement("script");
                script.innerHTML = "console.log('Dynamic inline test passed.')";
                document.body.appendChild(script);
	}

	//parameter fetch
	function gup( name )
	{
	  name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
	  var regexS = "[\\?&]"+name+"=([^&#]*)";
	  var regex = new RegExp( regexS );
	  var results = regex.exec( window.location.href );
	  if( results == null )
	    return "";
	  else
	    return results[1];
	}
	
        </script>
        <!-- malicious scripts -->
        <script>
		window.addEventListener("load", attack1, false);

            function attack1() {
                var str = "<a onclick =\"console.log('Attack code #1 is running.');\">6. Click me and you should see get a CSP console warning.</a>";
                var div = document.getElementById("evil");
		div.innerHTML = str;

		//DOM XSS via document.location
		//TODO: this won't work cuz innerHTML won't execute
		var payload = gup("xss");
		var atkstr = "7. Malicious payload injected with xss parameter: "+"<a href='"+payload+"'>Click Me!</a>";
		div = document.getElementById("evil1");
		div.innerHTML = atkstr;
			
            }

            function attack2() {
                var script = document.createElement("script");
                script.setAttribute("src", "http://http://code.jquery.com/jquery-1.8.1.min.js");
                document.body.appendChild(script);
            }
        </script>
        <div id="main">
            <p>This is a testing page for the dominatrixss CSP module</p>
            <div>1. Console should output: inline test passed.</div>
	    <div id="onload" onclick="onclick1()">2. Click me and see me change!</div>	
	    <a onclick="console.log('Onload test passed.')">3. Click me to see the console message: "Onload test passed"</a>

	    <br>	
	    <a onclick="dynamic1()">4. Click me to see the console message: "Dynamic src test passed"</a>

	    <br>	
	    <a onclick="dynamic2()">5. Click me to see the console message: "Dynamic inline test passed"</a>

	    <div id="evil"></div>	
	    <div id="evil1"></div>
	    <a onclick="attack2()">8. Click me and you should get a CSP console warning.</a>
	    <br>
	    <a href="javascript:console.log('JS URL test passed!')">9. Click me and you should see the console message: "JS URL test passed!"</a>

        </div>
    </body>

</html>
